Facebook Password Requests Put Your Company at Risk

I read a story yesterday that literally made my jaw drop. Job interviewers are asking potential employees for their Facebook passwords. Not just their Facebook site address, but the person's actual password so the interviewer can log into the site and have access to everything. An Associated Press piece published by Bloomberg Businessweek explained it this way:

In their efforts to vet applicants, some companies and government agencies are going beyond merely glancing at a person's social networking profiles and instead asking to log in as the user to have a look around.

Many are questioning the legalities of the practice, and the article retells the story of one person who ended the interview and withdrew his application after the request.

This story and this practice disturb me on oh-so-many levels. The pieces I've read focus on a job applicant's right to privacy, and there was the typical advice of what not to post on social media sites. I've written before that young adults don't have the same sense of privacy that older adults, who did not grow up in the electronic media age, have, and that could be a concern both in the job search and in the workplace. But this isn't about what you post publicly; it's about what is buried underneath and supposedly private.

However, I also see massive security implications here, and the damage from handing over your social media site password could go beyond the privacy of a job seeker's private Facebook messages and photos. Because users tend to use the same password on multiple sites, the chances are very good that the password used for Facebook is also used for other social media sites, email accounts, online retail accounts and so on. The person who has your email and your password now has access to a whole lot of data on you.

The interviewer could also have access to data on the networks of the job seeker's current or past employers if there is any kind of overlap in password use. If an interviewer is going to dig deep into a social media site to see what a potential employee is doing on a personal site, why wouldn't they want to know more about the person's actual work life? Here's the chance to fact-check the resume by accessing work email or maybe even go deeper into the network to access files. Who knows what sort of corporate data could be mined because someone handed over a Facebook username and password?

This highlights why employers should insist that employees use unique passwords for work-related access. A better solution may be multi-factor authentication (a password and another step) to access the corporate network. Another option is to require that network-related passwords be changed frequently. In any case, it is a good reason for companies to look closer at their password security.

And if you are one of those companies that ask for Facebook passwords, I'd love to know why.
